Explorations into Wi-Fi6/E

If you keep up at all with new connectivity standards, you may have noticed a few new Wi-Fi standards with a new naming convention. Starting with 802.11ax, the Wi-Fi Alliance has decided to make everyone's life a little easier by just calling it Wi-Fi 6. Retroactively, they're calling 802.11ac 'Wi-Fi 5'. That's better, right? Absolutely! Except Wi-Fi 6E was released shortly after, still under the 802.11ax standard. The Wikipedia page even redirects to 'Wi-Fi 6'. So what's the difference? Well, about 1 GHz.

Wi-Fi 6E introduces the availability of the 6 GHz band, which spans 5925 - 7125 MHz (5.9 - 7.1 GHz). This turned tooling on its head. Not only would we need a new series of wireless NICs capable of monitor mode and packet injection, but many tools are set to check the 2.4 GHz band by default, with a flag for 5 GHz. Fortunately, as you'll see later on, developers had the forethought to allow specifying a frequency, or set of frequencies. In this post, we'll cover some tooling and take a look at how Wi-Fi 6E operates.

Alfa to the Rescue

As equipment started being available on the consumer market for Wi-Fi 6E, USB adapters supporting the standard were nonexistent. You had to use something with a built-in NIC supporting the standard. Netgear rushed to the finish to release the very first Wi-Fi 6E USB adapter: the Nighthawk AXE3000 (A8000). In my excitement, I pre-ordered it. I struggled for some time to get the mt7921au drivers to build on any system and eventually gave up as I had other priorities.

Then, Alfa stepped in. They released the AWUS036AXML alongside a specially tuned external antenna. I again pre-ordered this from Rokland and waited eagerly for its arrival. Since it has arrived, I've gotten familiar with using it in a variety of applications.

Setup

If you wish to follow along or build on my work here, you'll need the genuine Alfa adapter as well as antennas that are designed to handle Wi-Fi 6E. I recommend using the external antenna I mentioned earlier. With these in hand, you'll probably want to just use Kali and install the kali-tools-wireless meta-package to save yourself any grief.

To actually have the 6 GHz band available to your system, you'll need to run sudo iw reg set US. From here, to see all frequencies the adapter can scan, run iw phy.

Do not use iwlist frequency as this is deprecated and will not provide all channels.

The next step for working with a 6E network is identifying what frequency your target access point transmits on. With your adapter still in managed mode, run sudo iw dev wlan0 scan ap-force | grep -B 5 "SSID_NAME_HERE" and you'll see the frequency; the freq: line of each BSS appears a few lines above its SSID: line in the scan output, which is why the grep looks backwards.

Now let's set the card to monitor mode and tune it to the specified frequency. We'll do this with the following commands:

  • sudo ip link set wlan0 down
  • sudo iw dev wlan0 set type monitor
  • sudo iw wlan0 set freq 6375
  • sudo ip link set wlan0 up

Then you can verify by running iwconfig.
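The scan-and-tune steps above, wrapped as an added example (not code from the original post): it parses iw scan output to find the target SSID's frequency, reports which band that is, and produces the same four commands. The interface name, SSIDs, BSSIDs and scan text are constructed; on a real system the commands need root.

```python
import re
import subprocess

# Band edges in MHz: 6 GHz is the 5925-7125 MHz range described above; the other two are approximate.
BANDS = {"2.4 GHz": range(2400, 2500), "5 GHz": range(5150, 5925), "6 GHz": range(5925, 7126)}

def band(freq_mhz: int) -> str:
    """Name the band a centre frequency falls in, or 'unknown'."""
    return next((name for name, r in BANDS.items() if freq_mhz in r), "unknown")

def parse_scan(text: str) -> dict:
    """Map SSID -> frequency (MHz) from `iw dev <if> scan` output. Each BSS block starts with a
    'BSS' line and its 'freq:' line sits a few lines above 'SSID:', hence the post's grep -B 5."""
    found = {}
    for block in re.split(r"^BSS ", text, flags=re.M)[1:]:
        freq = re.search(r"^\s*freq:\s*(\d+)", block, re.M)  # newer iw prints '6375.0'
        ssid = re.search(r"^\s*SSID:\s*(.*)$", block, re.M)
        if freq and ssid and ssid.group(1).strip():  # hidden SSIDs print an empty name
            found[ssid.group(1).strip()] = int(freq.group(1))
    return found

def monitor_commands(iface: str, freq_mhz: int) -> list:
    """The four commands from the post, in order; they need root (sudo) on a real system."""
    return [["ip", "link", "set", iface, "down"],
            ["iw", "dev", iface, "set", "type", "monitor"],
            ["iw", "dev", iface, "set", "freq", str(freq_mhz)],
            ["ip", "link", "set", iface, "up"]]

def tune_to_ssid(iface: str, ssid: str, scan_text: str = None) -> list:
    """Look up the target AP's frequency and return the commands that tune the card to it."""
    if scan_text is None:  # live scan while the card is still in managed mode
        scan_text = subprocess.run(["iw", "dev", iface, "scan", "ap-force"],
                                   check=True, capture_output=True, text=True).stdout
    freqs = parse_scan(scan_text)
    if ssid not in freqs:
        raise LookupError(f"SSID {ssid!r} not seen in scan")
    return monitor_commands(iface, freqs[ssid])

# Constructed sample of `iw dev wlan0 scan` output: one 5 GHz AP and one 6 GHz AP.
SAMPLE_SCAN = """BSS 02:11:22:33:44:55(on wlan0)
\tfreq: 5180
\tSSID: CoffeeShop
BSS 02:66:77:88:99:aa(on wlan0)
\tfreq: 6375.0
\tSSID: HomeLab-6E
"""
```

Calling tune_to_ssid("wlan0", "HomeLab-6E", SAMPLE_SCAN) returns the command list for 6375 MHz without touching the adapter; omit scan_text to run a live scan.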

Reading and Analyzing Packets

Now that our adapter is ready, we can capture some packets and, if you would like, analyze the packet structure. It's also important to ensure that you're using antennas that are properly tuned for the frequencies you'd like to work with. If you're not using the antennas that came with the card or the one mentioned above, you'll want a VNA (Vector Network Analyzer) to confirm their tuning.

At this point, I realized that the frequency set with iw is ignored by airodump-ng. Run sudo airodump-ng wlan0 -C 6375 --essid your-ap -w desired_filename to scan on the specified frequency, filter by ESSID, and write to several different files of various formats. If you want to use every frequency available to the card, you can specify -C 0 instead. Once you have a .cap file, you can open it in Wireshark.

Opening the first "Broadcast" packet from the target device, we see a few interesting parameters. Since we're here, I'm going to analyze a couple of these parameters.

Robust Security Networks & Management Frame Protection

The first tag, "RSN Information", is not Wi-Fi 6E specific. This was actually introduced with WPA2 back in 2004. In this particular instance, there are two fields which are active.

The PTKSA (Pairwise Transient Key Security Association) replay counter assists in preventing, you guessed it, replay attacks. The next two fields, MFPC and MFPR, are more recent and a highlight of WPA3. While these fields were present in some implementations of WPA2, this was an optional feature and required clients to support it. So what exactly is Management Frame Protection?

If you've ever performed any analysis on Wi-Fi traffic or performed a Wi-Fi pentest, you've probably seen management frames. Using airodump-ng, you can see clients associated with access points or probe requests from clients that are not associated with an access point. Additionally, most typical Wi-Fi pentests revolve around sending deauthentication or disassociation frames to force the four-way handshake to re-occur and capture it. These are all management frames. Management Frame Protection prevents these frames from being sent in cleartext, which shuts down both that reconnaissance and that exploitation. WPA3 uses both MFPC and MFPR; however, you may come across a WPA3 network where you can still see associated clients. This occurs because of WPA3 Transition Mode. In this mode, clients that don't support WPA3 will connect using the WPA2 scheme.
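To make the RSN Information fields discussed above concrete, here is an added example (not code from the original post) that parses an RSN Information element as Wireshark would show it from a beacon: it decodes the cipher and AKM suites, the PTKSA replay counter, the MFPC/MFPR bits, and flags the transition-mode combination of PSK plus SAE with MFP capable but not required. The sample element bytes are constructed.

```python
import struct

# Suite selectors under the IEEE 802.11 OUI 00-0F-AC (cipher and AKM numbering differ).
OUI = bytes.fromhex("000fac")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}
PTKSA_COUNTERS = (1, 2, 4, 16)  # meaning of RSN Capabilities bits 2-3

def _suite(raw: bytes, table: dict) -> str:
    """Decode a 4-byte suite selector; vendor OUIs and unknown types are returned as-is."""
    return table.get(raw[3], f"00-0F-AC:{raw[3]}") if raw[:3] == OUI else "vendor:" + raw.hex()

def parse_rsn(ie: bytes) -> dict:
    """Parse an RSN Information element (ID 48) as carried in a beacon or probe response."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN Information element")
    body, pos = ie[2:2 + ie[1]], 0

    def take(n: int) -> bytes:  # bounds-checked read so a malformed frame raises instead of mis-parsing
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN element shorter than its field list")
        pos += n
        return body[pos - n:pos]

    version = struct.unpack("<H", take(2))[0]
    group = _suite(take(4), CIPHERS)
    pairwise = [_suite(take(4), CIPHERS) for _ in range(struct.unpack("<H", take(2))[0])]
    akms = [_suite(take(4), AKMS) for _ in range(struct.unpack("<H", take(2))[0])]
    caps = struct.unpack("<H", take(2))[0]  # an optional PMKID list / group mgmt cipher may follow
    info = {"version": version, "group_cipher": group, "pairwise_ciphers": pairwise,
            "akm_suites": akms,
            "ptksa_replay_counters": PTKSA_COUNTERS[(caps >> 2) & 0x3],
            "mfpr": bool(caps & 0x40),   # Management Frame Protection Required
            "mfpc": bool(caps & 0x80)}   # Management Frame Protection Capable
    # Transition mode advertises PSK alongside SAE with MFP capable but not required, so clients
    # that still join with WPA2 remain visible and are not protected against cleartext management frames.
    info["wpa3_transition"] = ("SAE" in akms and "PSK" in akms
                               and info["mfpc"] and not info["mfpr"])
    return info

# Constructed sample: WPA3 transition-mode RSN IE (CCMP-128, PSK + SAE, MFPC=1, MFPR=0, 16 counters).
SAMPLE_TRANSITION = bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04"
                                  "0200" "000fac02" "000fac08" "8c00")
```

Feed it the raw bytes of the element copied from Wireshark (Copy > as a Hex Stream) to check whether a network you are responsible for is really WPA3-only or still in transition mode.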

The Wi-Fi 6/E High-Efficiency PHY

The High-Efficiency PHY supports higher data rates, as it can support modulation up to 1024-QAM as opposed to 256-QAM in the previous generation of Wi-Fi. However, the specific portion of the frame we're analyzing consists of PHY capabilities that handle timing, frame aggregation, and power consumption.

The first three parameters handle MAC Protocol Data Units (MPDUs) and Aggregate-MPDUs (A-MPDUs); all of these concern timing and frame aggregation. The last parameter, Spatial Multiplexing (SM) Power Save, is a feature designed to help save power on devices that leverage Multi-Input/Multi-Output (MIMO), and in this case it has been disabled.

Coming Up Soon

In the next installment we'll cover wardriving, configuring Kismet to identify 6 GHz networks, and configuring the network defense tool Nzyme to monitor wireless networks.